Enabling Ransomware Protection for a HyperScale MediaAgent


If current MediaAgent version of the node is Feature Release 24, you must upgrade the MediaAgent version 24.19 or above and upgrade the Commvault Distributed Storage (CDS) RPM version to 4.5.1 or above. For instructions to upgrade the MediaAgent version, see Updating Commvault Software on a Server. For instructions to upgrade the CDS version, see Installing Operating System Updates on Existing Nodes.

You can enable ransomware protection for a HyperScale MediaAgent. You must enable protection for all the nodes in a HyperScale environment.


You cannot enable ransomware protection for a HyperScale MediaAgent that hosts CommServe.

Before You Begin

  • Review the system requirements and the considerations for ransomware protection.

  • If any disk libraries or mount paths that are mounted are already present on the MediaAgent, you must take a backup of the /etc/fstab system file.

  • You must set the MediaAgent on maintenance mode because the operations in the procedure require a reboot and perform unmount and mount of the disk libraries.

  • If the MediaAgent is a client computer, make sure that there are no active backup or restore operations running on the MediaAgent.


  1. Login to your MediaAgent.

  2. Go to the /opt/commvault/MediaAgent64 directory.

  3. To enable the ransomware protection, run the following command:

    ./cvsecurity.py enable_protection -i InstanceID

    where instanceID is the ID of the instance. For example, Instance001.


    If any disk libraries or mount paths that are mounted are already present on the MediaAgent, then you need not run the protect_disk_library command. The enable_protection command performs the operations that are done by the protect_disk_library command such as updating the context in the /etc/fstab file and performing unmount and mount of the disk library.

  4. Reboot the MediaAgent for the ransomware protection to take effect.

    The reboot operation is required only when you enable the protection for the first time.


    Take the following precautions:

    • Wait for the node to come online after you enable ransomware protection on the node and reboot the node. To ensure that the node is online, verify the start_node operation completes successfully in the /tmp/cvsecurity_hvcmd.log file.

    • To verify that the protection is resumed successfully, run the sestatus command and check that the value for the Current mode parameter is set to enforcing.

    • Verify that the cluster is online and NFS vdisk is mounted. After reboot, you may experience some additional time for the cluster to be up and online depending on the amount of backup data present on the cluster.

    • Verify that the Commvault services are up and running. For instructions, see Using Process Manager to View and Manage Commvault Services.


      Do not enable ransomware protection on another node until you complete the above verification steps on the current node.

    Repeat the above steps on all the nodes in the HyperScale environment.

  5. Turn off the maintenance mode on all the nodes.

  6. For any unauthorized write access to the disk library on the MediaAgent that is protected by ransomware protection, you can configure to receive alerts that you can view in the Event Viewer of the CommCell Console and in the Audit Trail Report of the Command Center. By default, the software monitors the operations on MediaAgent for every 30 minutes, and sends alerts for any unauthorized events. You can use the event code 32:369 to configure alerts for these events. You can use the dRWProtectionAlertInterval additional setting to modify the time interval to monitor.

    For instructions about configuring alerts, see Creating an Alert from the Alert Wizard.

    Make the following selections when you configure alerts:

    • In the General Information window, select Operation for the Category and Event Viewer Events for the Type.

    • In the Entities Selection window, select the MediaAgents for which you want to receive alerts.

    • In the Threshold and Notification Criteria Selection window, select equals to criteria for Event Code, and then enter 32:659 in the box.


Ransomware protection will be enabled in the MediaAgent and can be viewed as follows:

  1. From the navigation pane, go to Manage > Infrastructure.

    The Infrastructure page appears.

  2. Click the MediaAgent tile.

    The MediaAgents page appears.

  3. Click the MediaAgent in which you enabled ransomware

    In the Control section, the Ransomware Protection toggle key will be enabled. (The toggle key will appear grayed out.)

Additional Information

  • The software logs the activities of the ransomware protection in the /var/log/cvsecurity.log file.

  • The software logs any unauthorized activities in the /var/log/audit/audit.log file.